Topic: F-Secure alerted on Bitcoin.exe (0.3.21): "harmful" (Read 2410 times)
Are there dns servers for testnet or just the production network?
For reference, virus total output:
Code:
Complete scanning result of "bitcoin.exe", processed in VirusTotal at 04/29/2011 18:58:40 (CET).
[ file data ]
* name..: bitcoin.exe
* size..: 7490048
* md5...: ff24783f67e7827546b8c5d8a1961398
* sha1..: bb7d7410ce62c10609b648fd6841b1a535da8866
* peid..: -
[ scan result ]
AhnLab-V3 2011.04.29.01/20110429 found nothing
AntiVir 7.11.7.87/20110429 found nothing
Antiy-AVL 2.0.3.7/20110429 found nothing
Avast 4.8.1351.0/20110429 found nothing
Avast5 5.0.677.0/20110429 found nothing
AVG 10.0.0.1190/20110429 found nothing
BitDefender 7.2/20110429 found nothing
CAT-QuickHeal 11.00/20110429 found nothing
ClamAV 0.97.0.0/20110429 found nothing
Commtouch 5.3.2.6/20110429 found nothing
Comodo 8520/20110429 found nothing
DrWeb 5.0.2.03300/20110429 found nothing
Emsisoft 5.1.0.5/20110429 found nothing
eSafe 7.0.17.0/20110428 found nothing
eTrust-Vet 36.1.8298/20110429 found nothing
F-Prot 4.6.2.117/20110429 found nothing
F-Secure 9.0.16440.0/20110429 found nothing
Fortinet 4.2.257.0/20110429 found nothing
GData 22/20110429 found nothing
Ikarus T3.1.1.103.0/20110429 found nothing
Jiangmin 13.0.900/20110429 found nothing
K7AntiVirus 9.98.4519/20110429 found nothing
Kaspersky 9.0.0.837/20110429 found nothing
McAfee 5.400.0.1158/20110429 found nothing
McAfee-GW-Edition 2010.1D/20110429 found nothing
Microsoft 1.6802/20110429 found nothing
NOD32 6081/20110429 found nothing
Norman 6.07.07/20110429 found nothing
Panda 10.0.3.5/20110429 found nothing
PCTools 7.0.3.5/20110429 found nothing
Prevx 3.0/20110429 found nothing
Rising 23.55.04.03/20110429 found nothing
Sophos 4.64.0/20110429 found nothing
SUPERAntiSpyware 4.40.0.1006/20110429 found nothing
Symantec 20101.3.2.89/20110429 found nothing
TheHacker 6.7.0.1.184/20110429 found nothing
TrendMicro 9.200.0.1012/20110429 found nothing
TrendMicro-HouseCall 9.200.0.1012/20110429 found nothing
VBA32 3.12.16.0/20110429 found nothing
VIPRE 9154/20110429 found nothing
ViRobot 2011.4.29.4437/20110429 found nothing
VirusBuster 13.6.327.1/20110429 found nothing
[ notes ]
F-Secure DeepGuard: Suspicious:W32/Malware!Gemini http://www.f-secure.com/v-descs/suspicious_w32_malware!gemini.shtml
Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
Vladimir,
I'm the guy who submitted the recent peer discovery stuff to bitcoinj and I plan on doing some work on dns discovery this weekend. ([mike] pointed me in the right direction.) It will most likely end up in bitcoinj pretty soon.
I'm the guy who submitted the recent peer discovery stuff to bitcoinj and I plan on doing some work on dns discovery this weekend. ([mike] pointed me in the right direction.) It will most likely end up in bitcoinj pretty soon.
Yes, but I want to integrate it as the default mechanism in BitCoinJ. I think at our current rate of progress by the end of the summer there'll be at least one and maybe two Android clients, and my plan is that they'll be using DNS rather than IRC. So don't give up on it :-)
Does not it just connect to bitseed.xf2.org and bitseed.bitcoin.org.uk?
Fortunately Jeff has done some good work on DNS based discovery, it's just not quite ready to replace IRC yet.
Can you give me a link to some documentations? How does this way to find peers works?
The problems with AV false positives are probably due to a mix of:
The solution is for Gavin to sign the binaries with a key he controls, so that cert can establish a good reputation. Then these alerts will start going away. Moving away from IRC based peer discovery would help too - it's not a very scalable mechanism anyway. Fortunately Jeff has done some good work on DNS based discovery, it's just not quite ready to replace IRC yet.
- Not signing the binaries. This is now standard practice in the Windows world.
- So every binary has a new, unknown reputation (just like viruses).
- The fact that it contains code to connect to IRC is a big red flag. Many bots have worked that way in the past and legitimate programs rarely if ever do it.
The solution is for Gavin to sign the binaries with a key he controls, so that cert can establish a good reputation. Then these alerts will start going away. Moving away from IRC based peer discovery would help too - it's not a very scalable mechanism anyway. Fortunately Jeff has done some good work on DNS based discovery, it's just not quite ready to replace IRC yet.
I agree, false positive. But the concern would be the possibility that Bitcoin.exe is being spread via botnets to people who don't want it (ostensibly for the purpose of stealing some CPU mining time). That'll make it "false positive" on virtually every antivirus platform out there after not too long, if it becomes known as something that "appears" on infected computers.
Maybe we should have a separate build of "Bitcoin, Botnet Edition" with the UI removed so those who want to go infect computers with it won't get the normal client tagged on AV vendors' lists of unwanted software. (tongue in cheek suggestion)
Maybe we should have a separate build of "Bitcoin, Botnet Edition" with the UI removed so those who want to go infect computers with it won't get the normal client tagged on AV vendors' lists of unwanted software. (tongue in cheek suggestion)
It's probably just a false positive. The bitcoin.exe I downloaded had the same MD5, so it probably wasn't intercepted at your end, at least.
I just upgraded to Bitcoin.exe 0.3.21 which I downloaded directly from SourceForge.
F-Secure popped up and told me this program is "harmful" (red color and bold is how popup was displayed), asked me if I really wanted to run the program, also offered to send a sample of the program for analysis.
It did not suggest the program was a "virus" or any similar notation. Nothing shows in the "Virus and spyware history" screen of F-Secure's UI.
I allowed the program to run. The MD5 hash of my Bitcoin.exe is ff24783f67e7827546b8c5d8a1961398
It occurred to me that someone may be mining with a botnet, and in the process of doing so, sending the entire Bitcoin client to victims (though not sure why doing this would be desirable to the botnet operator, unless perhaps it's going out with a pre-seeded wallet file with keys known to the bot herder). But if this is the case, it would make sense why it might be getting flagged by antivirus if it is appearing as unwanted "crap" on people's computers.
F-Secure popped up and told me this program is "harmful" (red color and bold is how popup was displayed), asked me if I really wanted to run the program, also offered to send a sample of the program for analysis.
It did not suggest the program was a "virus" or any similar notation. Nothing shows in the "Virus and spyware history" screen of F-Secure's UI.
I allowed the program to run. The MD5 hash of my Bitcoin.exe is ff24783f67e7827546b8c5d8a1961398
It occurred to me that someone may be mining with a botnet, and in the process of doing so, sending the entire Bitcoin client to victims (though not sure why doing this would be desirable to the botnet operator, unless perhaps it's going out with a pre-seeded wallet file with keys known to the bot herder). But if this is the case, it would make sense why it might be getting flagged by antivirus if it is appearing as unwanted "crap" on people's computers.
Jump to: